A Trojan was recently planted on the Miami Dolphins' Super Bowl web site. The Trojan was a script that would download a malicious file onto the user's computer if the user was not current on their security patches or was not using NOD32.

Websense first identified the compromised website through the use of their automated honeyclients, which in turn automatically blocked access to some Super Bowl related sites for their customers. For their write-up, see http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733. When some of Websense's customers reported a "false positive," Websense investigated and discovered that the Miami Dolphins' web site had been hacked and an exploit planted.

At this point Dan Hubbard from Websense called law enforcement and the ISOTF (remember http://www.forbes.com/security/2007/01/26/security-phishing-microsoft-tech-security-cx_ll_0126microsoft.html) into action and began investigating and working to help get the Super Bowl site cleaned up, as well as trying to get the site hosting the malicious executable file taken down. Additionally, members of the ISOTF have been identifying compromised web sites and notifying their system administrators.

Fortunately for users of NOD32, this Trojan was already detected by our advanced heuristics. Fortunately for those users who patch their systems, whether they use no anti-virus or some other anti-virus, they didn't get infected either. The attack relied upon users not having patched their Windows operating system; those users who use automatic updates had been protected for quite a while.

The continuing investigation has revealed that the same exploit had been planted on a large number of web sites, including the U.S. government's Centers for Disease Control and Prevention Health Marketing site.

This example points to a dangerous trend of the bad guys hacking legitimate web sites and planting exploit code there. It is pretty easy for a concerned user to avoid most suspicious web sites, but there would be no reason for a user to avoid http://www.dolphinstadium.com/ or http://www.cdc.gov/.

Using reasonable precautions when surfing the web can help prevent a lot of problems, but it is just one layer of defense. The use of anti-virus software is another useful layer.

Bleedingthreats.net also has free Snort signatures available for this exploit for people using a compatible intrusion prevention system. Most (but not all) of the people using these systems are corporate security managers.

The SANS Internet Storm Center (http://isc.sans.org/) is keeping abreast of any new developments as well.

What was the point of the Trojan? It appears that it wanted passwords, possibly for World of Warcraft.

I'll fill you in when I have a more detailed analysis.

Randy Abrams
Director of Technical Education